Physical isolation for gas SCADA, AGI control and safety systems
Gas operators run a high-consequence SCADA estate across compressor stations, above ground installations and pressure reduction stations. Firevault Control puts a real boundary between the office, the SCADA control room, the AGI telemetry and the safety systems behind them.
Utilities - Gas
When SCADA, AGI control and safety systems share the same network, every software vulnerability becomes a candidate for a pressure or supply incident.
100%: Safety system isolation from control fabric
Zero: Persistent remote access to AGI and PRS controllers
7: Control modules deployed per gas zone
Full: Evidence for NIS2, COMAH and Ofgem
Gas control networks combine high-consequence operations with broad reach.
High-consequence pressure control
Compressor and pressure reduction kit governs the safe envelope of the network. Unauthorised setpoint changes carry safety and supply consequences.
Distributed AGI estate
Above ground installations and PRS sit across the network and depend on remote telemetry to be operated safely.
Shipper and market interfaces
Shipper nominations and market interfaces sit close to the operational estate, creating paths that attackers can traverse.
The Scenario
Scenario: AGI controller firmware compromise
Attackers compromise a vendor firmware distribution server and push a malicious update into an AGI controller during a routine maintenance window. The update propagates through a shared engineering network to several neighbouring sites before it is detected. Operators lose confidence in the integrity of pressure readings for hours.
With Firevault Control, vendor firmware crosses into operations only through a brokered path with origin and integrity checks. Updates that reach an AGI controller require named, multi-party approval per site. The safety integrity system sits on its own fabric and cannot be reached from the control network at all. Verified baselines for AGI configuration are held on infrastructure that has no live network path to production and require multi-party authorisation to release.
"If the safety system and the control system share a network, you do not have a safety system. You have a wish."
Where each Control module is deployed across compressors, AGIs and the distribution grid.
Gas operators run a high-consequence SCADA estate across compressor stations, above ground installations and pressure reduction stations. Control puts a real boundary between the office, the SCADA control room, the AGI telemetry and the safety systems that keep pressure in band.
Grounded in NIST SP 800-82 Rev. 3, IEC 62443-3-2, HSE COMAH guidance and Ofgem security expectations.
Cloud / Internet
External
Shipper and cloud traffic terminates at the perimeter.
Enterprise
IT
Office, shipper nominations and corporate systems.
Office cannot reach the DMZ on its own.
Industrial DMZ
DMZ · trust boundary
Brokered exchange. No straight-through paths into operations.
Engineering and flow data crosses on scheduled, approved routes.
Operations systems
OT
Engineering and SCADA on separate fabrics.
Supervisory control
OT
Control room view of transmission and distribution.
Pressure and valve actions need named, authorised approval.
Basic control
Field
Above ground installations, pressure reduction, compressors.
Safety integrity sits on its own fabric. It is never the same network as control.
Safety systems
Field
Safety integrity. Last line.
Physical
Field
Crown jewels
Off-network
Detail callout · A
Offline Secure Storage
AGI configurations, compressor and PRS baselines, safety system records and the recovery sets you need after an incident.
Offline by design · secure by default
Modules & symbols
Where each module is deployed, and what it does there.
One row per module. Placement on the network, then plain-English purpose at that point.
- Isolate
  Placement: At every Purdue boundary and around the SIS
  Purpose: Office, SCADA, AGI control and safety systems all sit on separate physical fabrics. Safety integrity is never on the same network as control.
- Firebreak
  Placement: On the L5 to L4 link and the L4 to L3.5 link
  Purpose: Real off switches on the public and office boundaries during a live incident.
- Validate
  Placement: On the L5 to L4 link and inside the L3.5 DMZ
  Purpose: Shipper, engineering and flow traffic is checked for origin and integrity before it crosses into operations.
- Relay
  Placement: Inside the L3.5 DMZ
  Purpose: Cross-domain data moves on scheduled routes only.
- Execute
  Placement: Inside the L3.5 DMZ and on the L2 to L1 link
  Purpose: Firmware, pressure setpoints and valve actions hold until the right authority signs them off.
- Lock
  Placement: On the L2 to L1 link and the L1 to L0 link
  Purpose: Access to AGIs, PRS and compressors ties to named engineers. Standing access is the exception.
Key Capabilities
Sovereign gas data
Operational and shipper data remains within the agreed jurisdiction in carefully selected Firevault Bunkers.
Multi-party control
Pressure and major valve operations require sign-off from both control room and security teams.
Regulatory evidence
Continuous compliance evidence aligned to NIS2, HSE COMAH and Ofgem cyber expectations.
Out-of-band management
Cellular and dedicated paths keep the control plane reachable when primary networks are compromised.
Tamper-proof logging
Every access, configuration change and pressure action lands in immutable logs on physically separate infrastructure.
Verified configuration baselines
Verified baselines of AGI, PRS and compressor configuration enable a known-good restore of control-plane state.
Demo to Live
Adoption Guide
Network assessment
Map every path between corporate IT, SCADA, AGI control and the safety integrity systems to identify convergence and persistent vendor connections.
Zone architecture design
Design physically separated zones aligned to your transmission and distribution estate, with Control modules at each boundary.
Non-production pilot
Deploy in a test environment mirroring an AGI and SIS pair with full zone separation, multi-party authorisation and compliance logging.
Operational deployment
Full deployment across the gas estate with verified configuration baselines, continuous compliance evidence and 24/7 out-of-band management.
Speak to the team to organise a PoC
Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.